* h.323 firewall
@ 2002-11-14 18:18 vincent blondel
2002-11-14 20:18 ` Rasmus Reinholdt Nielsen
` (2 more replies)
0 siblings, 3 replies; 8+ messages in thread
From: vincent blondel @ 2002-11-14 18:18 UTC (permalink / raw)
To: netfilter
Hi,
I want to implement in our organisation a complete video conferencing
infrastructure but I am a complete novice
in this matter. I read a lot of documentation these last days but there are
some points that are still not clear.
As you can see above, we want to open the domains DEV1 and DEV2 to the net
for H.323 traffic.
The current situation incorporates:
10.66.0.xxx
+---------------+
| SMC7008BR |
+---------------+
10.66.1.xxx
DEV2
| |
+---------+-+ +--+--------+
| slack 8.0 | | Slack 8.0 |
+-----------+ +-----------+
192.168.0.xxx +-----+ 10.66.0.xxx
| pp0 | +---------------+
+--+--+ | switch |
| +---------------+
| DMZ
+-------+ +-------------+
| NS2 | | NS1
|
10.66.0.xxx | HTTP2| | HTT1 |
+---------------+ +-------+ | FTP +--ISP
| SMC7008BR| | SMTP |
+---------------+ +-------------+
192.168.0.xxx 192.168.0.xxx
DEV1
| |
+-----------+-+ +-+---------+
| linux | .... | w2k |
+-------------+ +-----------+
GnomeMeeting NetMeeting
- an iptables firewall on NS1 and NS2
- communication with the net passes through our DMZ zone
- the DMZ contains 2 Linux Slackware 8.0 servers / kernel 2.4.18 /
patch-o-matic-20020825 / iptables 1.2.7a
- the DMZ is configured with NAT for traffic between DEV1/DEV2 and the
net
- DEV1/DEV2 include some 15 users with webcams and/or H.323-compliant
equipment.
So the problems I encounter are the following:
- From all I could see on the net, all config examples show a configuration
with one client using the H.323 protocol
#! /bin/bash
EXTERNAL_IF=eth0
EXTERNAL_IP=mon.ip.pub.lic
PCA_HOST=mon.ip.pri.vee

# plain assignment: "$IPTABLES=..." expands to an empty name and fails
IPTABLES=/usr/local/sbin/iptables

# H.323 connection tracking / NAT helper from patch-o-matic
/sbin/modprobe -a -k -s -v ip_nat_h323

logger -s "H323 Ports"
H323_PORTS="389 522 1503 1720 1731 8080"
# the same static ports are forwarded for tcp and udp; only the first packet
# of a connection traverses the nat table, so no state match is needed here
for PROTO in tcp udp; do
    for PORT in $H323_PORTS; do
        $IPTABLES -t nat -A PREROUTING -i $EXTERNAL_IF -p $PROTO -d $EXTERNAL_IP \
            --dport $PORT -j DNAT --to-destination $PCA_HOST
    done
done
... I found the above iptables config example, but the problem for me is that I have 15
users and not one
- I have installed iptables/NAT on my DMZ servers but I noticed that some
clients such as GnomeMeeting 0.94 are fully NAT compliant
... so what does it mean? That my Linux clients will have some troubles
because I use two products providing NAT
... capabilities??? And what about MS NetMeeting and ip_nat_h323???
- I patched my kernels 2.4.18 with patch-o-matic-20020825 to use ip_nat_h323
... ok, but is this module a solution for me to redirect H.323 traffic
between
... internet --> 10.66.0.xxx --> 192.168.0.xxx
... internet --> 10.66.0.xxx --> 10.66.1.xxx
... 192.168.0.xxx --> 10.66.0.xxx --> internet
... 10.66.1.xxx --> 10.66.0.xxx --> internet
but the problem is I have concurrent connections.
- I read yesterday that it is possible to concentrate H.323 connections on a
gatekeeper such as the OpenH323 Gatekeeper
... do you think I have to use a gatekeeper with iptables???
So maybe you find my questions stupid or without any sense, but I repeat
that I have no experience with this.
So, with the information I received, I imagine implementing my H.323
infrastructure as mentioned below.
- configuring iptables on NS1 (10.66.0.1) with the script mentioned above,
replacing PCA_HOST with the IP address of NS2 (10.66.0.2)
- installing the OpenH323 gatekeeper on NS2 (10.66.0.2)
- configuring all clients with gatekeeper NS2 (10.66.0.2).
So, thanks for any comment, remark, experience, suggestion and/or
correction on what I mentioned above.
Thanks in advance.
Vincent
* Re: h.323 firewall
2002-11-14 18:18 h.323 firewall vincent blondel
@ 2002-11-14 20:18 ` Rasmus Reinholdt Nielsen
2002-11-15 5:34 ` Some go through, some don't Tomasz Korycki
2002-11-14 20:37 ` h.323 firewall Arnt Karlsen
2002-11-15 10:57 ` Thomas Heinz
2 siblings, 1 reply; 8+ messages in thread
From: Rasmus Reinholdt Nielsen @ 2002-11-14 20:18 UTC (permalink / raw)
To: vincent blondel, netfilter
Hi
Try taking a look at http://linux-igd.sourceforge.net/ - it works for me. And
also search the archives for today and yesterday, since this topic was also
discussed earlier today.
/Rasmus
At 19:18 14-11-2002 +0100, vincent blondel wrote:
> [...]
* Some go through, some don't...
2002-11-14 20:18 ` Rasmus Reinholdt Nielsen
@ 2002-11-15 5:34 ` Tomasz Korycki
2002-11-15 13:55 ` Arnt Karlsen
0 siblings, 1 reply; 8+ messages in thread
From: Tomasz Korycki @ 2002-11-15 5:34 UTC (permalink / raw)
To: netfilter
Hi,
I have a four-armed router with netfilter on it. There are two internal
networks: let's call them A.B.x.y and E.F.G.x. The inside interfaces will be
A.B.129.1 and E.F.G.246. The two outside interfaces: let's call them 1.2.3.4
and 5.6.7.8, but they do not matter.

On host E.F.G.250 (which I'm on right now) I want to connect to a CVS on
A.B.1.65. I can't. I could earlier on today. Hm. I dial up the CVS -
everything fine there. I go back to a terminal here, try to ping A.B.1.65 -
I get answers. But traceroute comes back with E.F.G.246 - !H, host
unreachable. Interesting. Looks like the router can't reach CVS. I log onto
the router and ping CVS - all clear. I then traceroute it - fine. I notice
that (of course) when I ping, the source address is A.B.129.1 - which is
right. So I try ping -I E.F.G.246, which is "my" side of the router -
everything is fine. But then I notice in the logs that I get a slew of
messages: Neighbour table overflow. That's a routing message, so I figure
I'll try to send a "keepalive" while I continue testing, so I do
ping -i 60 A.B.1.65 and go on my merry way. Then I notice that ping comes
back with a response for pings sent from A.B.129.1, then, a few seconds
later, prints

From <hostname> E.F.G.246: Destination host unreachable.

But I did see replies sent from that interface!

Well, since there is netfilter on it (and no routed or gated) - can it be
responsible for this odd behaviour? iptables -L -n shows nothing suspicious,
basic ICMP is allowed from anywhere, all traffic is allowed from E.F.G.x,
A.B.x.y -> E.F.G.x only related and so on.
I was going to put the -L -n output here, but considering the size I will
not, unless asked...
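The "Neighbour table overflow" message Tomasz saw is logged when the kernel cannot allocate a new neighbour (ARP) cache entry: the table has reached net.ipv4.neigh.default.gc_thresh3 and garbage collection frees nothing. Before suspecting the packet filter, it is worth counting the entries per interface and how many of them never resolved (FAILED/INCOMPLETE): a pile of unresolved entries on one segment is consistent with a link-layer fault on that segment, which is where this thread ended up. The script below is an added example, not something posted in the thread; it parses the output of `ip -4 neigh show`, and the sample lines, interface names and addresses are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): summarise the IPv4 neighbour (ARP)
# table per interface and compare its size with gc_thresh3, the limit at
# which the kernel logs "Neighbour table overflow" when it cannot allocate
# a new entry.  Usage: sh neigh-check.sh run   (reads the live table)
#                      sh neigh-check.sh demo  (runs on the sample below)

# Constructed sample in the format of `ip -4 neigh show`; interface names
# and addresses are made up.
sample_neigh() {
    printf '%s\n' \
        '10.66.0.5 dev eth1 lladdr 00:11:22:33:44:55 REACHABLE' \
        '10.66.0.6 dev eth1 lladdr 00:11:22:33:44:66 STALE' \
        '10.66.0.7 dev eth1  FAILED' \
        '10.66.0.8 dev eth1  INCOMPLETE' \
        '192.168.0.9 dev eth2 lladdr 00:11:22:33:44:99 DELAY'
}

# stdin: `ip -4 neigh show` output; $1: gc_thresh3 (default 1024, the usual
# kernel default).  Prints one line per interface with the number of entries
# and how many never resolved (FAILED/INCOMPLETE), then a verdict on the
# whole table against the threshold.
neigh_summary() {
    thresh="${1:-1024}"
    awk -v thresh="$thresh" '
        NF >= 3 {
            dev = "?"; state = $NF
            for (i = 1; i < NF; i++) if ($i == "dev") dev = $(i + 1)
            total[dev]++; all++
            if (state == "FAILED" || state == "INCOMPLETE") bad[dev]++
        }
        END {
            for (d in total)
                printf "dev %s total=%d unresolved=%d\n", d, total[d], bad[d] + 0
            printf "all=%d gc_thresh3=%d %s\n", all + 0, thresh,
                   (all + 0 >= thresh ? "OVERFLOW-RISK" : "ok")
        }'
}

case "${1:-}" in
    run)  ip -4 neigh show | neigh_summary \
              "$(cat /proc/sys/net/ipv4/neigh/default/gc_thresh3 2>/dev/null)" ;;
    demo) sample_neigh | neigh_summary 1024 ;;
    *)    echo "usage: $0 run|demo" >&2 ;;
esac
```

If the verdict is OVERFLOW-RISK on a router that legitimately talks to that many hosts, raising gc_thresh1/2/3 is the fix; if the table is small but one interface carries mostly unresolved entries, look at that cable and switch port before the ruleset.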
* Re: Some go through, some don't...
2002-11-15 5:34 ` Some go through, some don't Tomasz Korycki
@ 2002-11-15 13:55 ` Arnt Karlsen
2002-11-25 19:57 ` Tomasz Korycki
0 siblings, 1 reply; 8+ messages in thread
From: Arnt Karlsen @ 2002-11-15 13:55 UTC (permalink / raw)
To: netfilter
On Fri, 15 Nov 2002 00:34:05 -0500,
Tomasz Korycki <engine2@flow.mine.nu> wrote in message
<5.1.0.14.0.20021115001532.00a071f0@mail.flow.north.net>:
>
> I was going to put the -L -n output here, but considering the size I
> will not, unless asked...
>
..put it on your web site and post the url here.
--
..med vennlig hilsen = with Kind Regards from Arnt... ;-)
...with a number of polar bear hunters in his ancestry...
Scenarios always come in sets of three:
best case, worst case, and just in case.
* Re: Some go through, some don't...
2002-11-15 13:55 ` Arnt Karlsen
@ 2002-11-25 19:57 ` Tomasz Korycki
2002-11-25 23:44 ` Arnt Karlsen
0 siblings, 1 reply; 8+ messages in thread
From: Tomasz Korycki @ 2002-11-25 19:57 UTC (permalink / raw)
To: Arnt Karlsen; +Cc: netfilter
At 08:55 2002-11-15, Arnt Karlsen wrote:
>On Fri, 15 Nov 2002 00:34:05 -0500,
>Tomasz Korycki <engine2@flow.mine.nu> wrote in message
><5.1.0.14.0.20021115001532.00a071f0@mail.flow.north.net>:
> >
> > I was going to put the -L -n output here, but considering the size I
> > will not, unless asked...
> >
>
>..put it on your web site and post the url here.
Sorry, did not get a permission to post the listing, so I had to scratch my
own head. And it turned out that it was, as I suspected, not a netfilter
problem, but a dodgy switch port. After we moved the cable to another port,
everything is just fine. There is a nice piece of red electrical tape over
that hole now - I love such simple solutions!
* Re: Some go through, some don't...
2002-11-25 19:57 ` Tomasz Korycki
@ 2002-11-25 23:44 ` Arnt Karlsen
0 siblings, 0 replies; 8+ messages in thread
From: Arnt Karlsen @ 2002-11-25 23:44 UTC (permalink / raw)
To: Tomasz Korycki; +Cc: netfilter
On Mon, 25 Nov 2002 14:57:43 -0500,
Tomasz Korycki <engine2@flow.mine.nu> wrote in message
<5.1.0.14.0.20021125145506.00a77ec0@mail.flow.north.net>:
> At 08:55 2002-11-15, Arnt Karlsen wrote:
> >On Fri, 15 Nov 2002 00:34:05 -0500,
> >Tomasz Korycki <engine2@flow.mine.nu> wrote in message
> ><5.1.0.14.0.20021115001532.00a071f0@mail.flow.north.net>:
> > >
> > > I was going to put the -L -n output here, but considering the size
> > > I will not, unless asked...
> > >
> >
> >..put it on your web site and post the url here.
>
>
> Sorry, did not get a permission to post the listing,
..I asked you _not_ to, see above.
--
..med vennlig hilsen = with Kind Regards from Arnt... ;-)
...with a number of polar bear hunters in his ancestry...
Scenarios always come in sets of three:
best case, worst case, and just in case.
* Re: h.323 firewall
2002-11-14 18:18 h.323 firewall vincent blondel
2002-11-14 20:18 ` Rasmus Reinholdt Nielsen
@ 2002-11-14 20:37 ` Arnt Karlsen
2002-11-15 10:57 ` Thomas Heinz
2 siblings, 0 replies; 8+ messages in thread
From: Arnt Karlsen @ 2002-11-14 20:37 UTC (permalink / raw)
To: netfilter
On Thu, 14 Nov 2002 19:18:48 +0100,
"vincent blondel" <vincent.blondel@chello.be> wrote in message
<000d01c28c0a$473ff290$057ba8c0@wxcsmtp450>:
> Hi,
>
> I want to implement in our organisation a complete video conferencing
> infrastructure but I am completely novice
> in this matter. I read a lot of documentation these last days but
> there are some points that stay not clear.
>
> As you can see it above, we want to open domains DEV1 and DEV2 to the
> net for h.323 traffic.
>
> The current situation incorporates :
>
> 10.66.0.xxx
> +---------------+
> | SMC7008BR |
> +---------------+
> 10.66.1.xxx
> DEV2
> | |
> +---------+-+ +--+--------+
> | slack 8.0 | | Slack 8.0 |
> +-----------+ +-----------+
> 192.168.0.xxx +-----+ 10.66.0.xxx
> | pp0 |
> | +---------------+
> +--+--+ | switch
> |
> | +-----------
> | ----+
> | DMZ
> +-------+
> +-------------+
> | NS2 | | NS1
> |
> 10.66.0.xxx | HTTP2| | HTT1 |
> +---------------+ +-------+ | FTP
> +--ISP
> | SMC7008BR| | SMTP |
> +---------------+
> +-------------+
> 192.168.0.xxx
> 192.168.0.xxx
> DEV1
> | |
> +-----------+-+ +-+---------+
> | linux | .... | w2k |
> +-------------+ +-----------+
> GnomeMeeting NetMeeting
>
> - a firewall iptables on NS1 and NS2
> - communication with the net is passing through our DMZ zone
> - DMZ integrates 2 servers linux slackware 8.0 / kernel 2.4.18 /
> patch-o-matic-20020825 / iptables 1.2.7a
> - DMZ is configured with nat feature for traffic between DEV1/DEV2 and
> the net
> - DEV1/DEV2 includes some 15 users with webcams and/or H323 compliant
> equipment.
>
> So the problems I encounter are the following :
...a wee problem in your ascii artwork:
try again with a _constant_width_ font.
--
..med vennlig hilsen = with Kind Regards from Arnt... ;-)
...with a number of polar bear hunters in his ancestry...
Scenarios always come in sets of three:
best case, worst case, and just in case.
* Re: h.323 firewall
2002-11-14 18:18 h.323 firewall vincent blondel
2002-11-14 20:18 ` Rasmus Reinholdt Nielsen
2002-11-14 20:37 ` h.323 firewall Arnt Karlsen
@ 2002-11-15 10:57 ` Thomas Heinz
2 siblings, 0 replies; 8+ messages in thread
From: Thomas Heinz @ 2002-11-15 10:57 UTC (permalink / raw)
To: vincent blondel; +Cc: netfilter
Hi Vincent
You wrote:
> The current situation incorporates :
>
> 10.66.0.xxx
> +---------------+
> | SMC7008BR |
> +---------------+
> 10.66.1.xxx
> DEV2
> | |
> +---------+-+ +--+--------+
> | slack 8.0 | | Slack 8.0 |
> +-----------+ +-----------+
> 192.168.0.xxx +-----+ 10.66.0.xxx
> | pp0 | +---------------+
> +--+--+ | switch |
> | +---------------+
> | DMZ
> +-------+ +-------------+
> | NS2 | | NS1
> |
> 10.66.0.xxx | HTTP2| | HTT1 |
> +---------------+ +-------+ | FTP +--ISP
> | SMC7008BR| | SMTP |
> +---------------+ +-------------+
> 192.168.0.xxx 192.168.0.xxx
> DEV1
> | |
> +-----------+-+ +-+---------+
> | linux | .... | w2k |
> +-------------+ +-----------+
> GnomeMeeting NetMeeting
The formatting is somewhat broken ;-)
> - I read yesterday that it is possible to concentrate h.323 connections on a
> gatekeeper as OpenH323 Gatekeeper
> ... do you think I have to use a gatekeeper with iptables ???
Yes, I'd recommend it. You might want to take a look at
http://www.gnugk.org. I'm using it in my private lan and it works just
fine although my lan's topology is a little simpler than yours ;-)
> So maybe you can find my questions stupid or without any sense but I repeat
> it I got no experience with this.
Your questions are definitely not stupid.
> So, with information I received I imagine to implement my h.323
> infrastructure as mentioned below.
>
> - configuring iptables on NS1 (10.66.0.1) with the script mentioned above
> and replacing PCA_HOST with ip address of NS2 (10.66.0.2)
> - installing OpenH323 gatekeeper on NS2 (10.66.0.2)
> - configuring all clients with gatekeeper NS2 (10.66.0.2).
What about using gatekeepers only? You can use gk's on NS1 and NS2 which
define each other as neighbours. Although I haven't tested this, it
should work.
With gnugk you can restrict the dynamic udp and tcp ports to stay
within a certain range whereby the range also restricts the number
of parallel connections. Anyway this solution implies that you have
to open all ports within the given ranges on NS1 in order to allow
incoming calls. This is not necessary for external calls.
Using netfilter's h323 module on NS1 would be a better solution
if you don't want to open the dynamic ports but I'm not sure whether
it works in your case. Just try it.
Please post your results as I believe that there are a lot of users
out there with similar problems.
Thomas
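Vincent's script above needs one DNAT per port per client, which is why it does not scale to 15 users; Thomas's "gatekeepers only" suggestion changes the picture because a proxying gatekeeper terminates both call legs, so only the gatekeeper has to be reachable from outside, on the static signalling ports plus whatever bounded dynamic ranges it is configured to use. The script below is an added example of that ruleset on NS1; it is not code from the thread, from gnugk or from the netfilter project. Everything not in the thread is an assumption: the public address 203.0.113.10 (documentation range), the RAS port 1719/udp and call signalling port 1720/tcp as the gatekeeper's listening ports, and the two port ranges, which must match whatever the gatekeeper is actually pinned to in its configuration (check the gnugk manual for the option names). The outside interface eth0 and the gatekeeper address 10.66.0.2 are taken from Vincent's post. Run with `dry-run` to print the commands instead of loading them.

```shell
#!/bin/sh
# Added example, not code from the thread or from gnugk: NS1 rules for the
# "gatekeeper only" design (gnugk on NS2 proxying every call, all clients
# registered to it).  Only the gatekeeper is exposed, and only on the static
# signalling ports plus the bounded ranges gnugk is configured to use,
# instead of one DNAT per client and port as in the original script.
# Assumed values (hypothetical, not from the thread): public address
# 203.0.113.10, the two port ranges below, RAS on 1719/udp, Q.931 on 1720/tcp.
#   sh h323-gk.sh dry-run   prints the iptables commands
#   sh h323-gk.sh apply     loads them
IPTABLES="${IPTABLES:-iptables}"
EXT_IF="${EXT_IF:-eth0}"                  # outside interface of NS1 (from the post)
EXT_IP="${EXT_IP:-203.0.113.10}"          # assumed public address of NS1
GK="${GK:-10.66.0.2}"                     # gatekeeper / proxy on NS2 (from the post)
H245_RANGE="${H245_RANGE:-30000:30099}"   # tcp, H.245 control channels (assumed)
RTP_RANGE="${RTP_RANGE:-40000:40199}"     # udp, RTP/RTCP media (assumed)

h323_rules() {
    # Outside -> gatekeeper: RAS (1719/udp), Q.931 call signalling (1720/tcp),
    # then the bounded dynamic ranges.  Nothing else from the outside is
    # DNATed into the DMZ for H.323, and no per-client rules exist at all.
    $IPTABLES -t nat -A PREROUTING -i "$EXT_IF" -p udp -d "$EXT_IP" --dport 1719 \
        -j DNAT --to-destination "$GK"
    $IPTABLES -t nat -A PREROUTING -i "$EXT_IF" -p tcp -d "$EXT_IP" --dport 1720 \
        -j DNAT --to-destination "$GK"
    $IPTABLES -t nat -A PREROUTING -i "$EXT_IF" -p tcp -d "$EXT_IP" --dport "$H245_RANGE" \
        -j DNAT --to-destination "$GK"
    $IPTABLES -t nat -A PREROUTING -i "$EXT_IF" -p udp -d "$EXT_IP" --dport "$RTP_RANGE" \
        -j DNAT --to-destination "$GK"

    # FORWARD: DNAT alone does nothing if FORWARD drops the packet.  Allow new
    # connections only to the gatekeeper on exactly those ports, replies by
    # connection state, and let the gatekeeper (not every client) call out.
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -i "$EXT_IF" -d "$GK" -p udp --dport 1719 -m state --state NEW -j ACCEPT
    $IPTABLES -A FORWARD -i "$EXT_IF" -d "$GK" -p tcp --dport 1720 -m state --state NEW -j ACCEPT
    $IPTABLES -A FORWARD -i "$EXT_IF" -d "$GK" -p tcp --dport "$H245_RANGE" -m state --state NEW -j ACCEPT
    $IPTABLES -A FORWARD -i "$EXT_IF" -d "$GK" -p udp --dport "$RTP_RANGE" -m state --state NEW -j ACCEPT
    $IPTABLES -A FORWARD -o "$EXT_IF" -s "$GK" -m state --state NEW -j ACCEPT

    # Outgoing call legs from the gatekeeper leave with NS1's public address.
    $IPTABLES -t nat -A POSTROUTING -o "$EXT_IF" -s "$GK" -j SNAT --to-source "$EXT_IP"
}

case "${1:-}" in
    apply)   h323_rules ;;
    dry-run) IPTABLES=echo; h323_rules ;;
    *)       echo "usage: $0 apply|dry-run" >&2 ;;
esac
```

The trade-off Thomas describes is visible in the rules: the two ranges are open to any Internet source as long as the target is the gatekeeper, so keep them no larger than the number of parallel calls actually needed, and note that the ILS/ULS and T.120 ports (389, 522, 1503) from the original script are deliberately absent because the gatekeeper design does not need them exposed. Using ip_nat_h323 instead avoids opening the ranges, at the price of a kernel helper parsing untrusted signalling, so whichever path is chosen the inbound attack surface is exactly what listens on 10.66.0.2 on those ports.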